The ALIYUN::VPC::IpsecServer type is used to create an IPsec server.

Syntax

{
  "Type": "ALIYUN::VPC::IpsecServer",
  "Properties": {
    "LocalSubnet": String,
    "EffectImmediately": Boolean,
    "ClientIpPool": String,
    "VpnGatewayId": String,
    "IpsecConfig": Map,
    "Psk": String,
    "IkeConfig": Map,
    "IpsecServerName": String,
    "PskEnabled": Boolean
  }
}

Properties

Property name Type Required Update allowed Description Constraint
LocalSubnet String Local CIDR block: the CIDR block on the VPC side that needs to communicate with the client CIDR block. Separate multiple CIDR blocks with half-width commas (,), for example: 192.168.1.0/24,192.168.2.0/24.
EffectImmediately Boolean Whether to delete the currently negotiated IPsec tunnel and start a new negotiation. Valid values:
  • true: negotiate immediately after the configuration is completed.
  • false (default): negotiate when traffic arrives.
VpnGatewayId String ID of the VPN gateway.
IpsecConfig Map Configuration for phase 2 negotiation. For more information, see the IpsecConfig properties.
IkeConfig Map Configuration for phase 1 negotiation. For more information, see the IkeConfig properties.
ClientIpPool String Client CIDR block: the address range from which access addresses are assigned to the virtual network interfaces of clients. This is not the existing private CIDR block of the clients. When a client connects to the local side through SSL-VPN, the VPN gateway assigns the client an IP address from this CIDR block.

This CIDR block must not overlap with the LocalSubnet CIDR block.

IpsecServerName String Name of the IPsec connection. Must be 2 to 128 characters in length and start with a letter or a Chinese character; cannot start with http:// or https://. Can contain letters, Chinese characters, digits, half-width periods (.), underscores (_), and hyphens (-).
Psk String Pre-shared key used for authentication. Used for identity authentication between the IPsec VPN gateway and the customer gateway.

A key is randomly generated by default; you can also specify the key manually.

Up to 100 characters in length.
PskEnabled Boolean Whether to enable pre-shared key authentication. Valid values:
  • true: enabled.
  • false: disabled.

IpsecConfig syntax

"IpsecConfig": {
  "IpsecPfs": String,
  "IpsecEncAlg": String,
  "IpsecAuthAlg": String,
  "IpsecLifetime": Integer
}

IpsecConfig properties

Property name Type Required Update allowed Description Constraint
IpsecPfs String Forwards packets of all protocols. The Diffie-Hellman key exchange algorithm used in phase 2 negotiation. Valid values:
  • group1
  • group2 (default)
  • group5
  • group14
  • group24
IpsecEncAlg String Encryption algorithm used in phase 2 negotiation. Valid values:
  • aes (default)
  • aes192
  • aes256
  • des
  • 3des
IpsecAuthAlg String Authentication algorithm used in phase 2 negotiation. Valid values:
  • md5
  • sha1 (default)
IpsecLifetime Integer Lifetime of the SA negotiated in phase 2. Valid values: 0 to 86,400.

Unit: seconds.

Default value: 86,400.

IkeConfig syntax

"IkeConfig": {
  "IkeAuthAlg": String,
  "LocalId": String,
  "IkeEncAlg": String,
  "IkeVersion": String,
  "IkeMode": String,
  "IkeLifetime": Integer,
  "RemoteId": String,
  "IkePfs": String
}

IkeConfig properties

Property name Type Required Update allowed Description Constraint
IkeAuthAlg String Authentication algorithm used in phase 1 negotiation. Valid values:
  • md5
  • sha1 (default)
LocalId String Identifier of the VPN gateway. Up to 100 characters in length; defaults to the public IP address of the VPN gateway.
IkeEncAlg String Encryption algorithm used in phase 1 negotiation. Valid values:
  • aes (default)
  • aes192
  • aes256
  • des
  • 3des
IkeVersion String Version of the IKE protocol. Valid values:
  • ikev1
  • ikev2 (default)
IkeMode String Negotiation mode of the IKE version. Valid values:
  • main (default)
  • aggressive
IkeLifetime Integer Lifetime of the SA negotiated in phase 1. Valid values: 0 to 86,400.

Unit: seconds.

Default value: 86,400.
RemoteId String Identifier of the customer gateway. Up to 100 characters in length; defaults to the public IP address of the customer gateway.
IkePfs String The Diffie-Hellman key exchange algorithm used in phase 1 negotiation. Valid values:
  • group1
  • group2 (default)
  • group5
  • group14
  • group24
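The IkeConfig and IpsecConfig tables above list several legacy choices (des, 3des, md5, group1, group2, ikev1, aggressive mode), and group2 is the default for both IkePfs and IpsecPfs. The following added example (not code from the ROS documentation or from Alibaba Cloud) is a pre-deployment check for the Properties map of an ALIYUN::VPC::IpsecServer resource: it validates each value against the allowed values in the tables, flags weak choices whether set explicitly or taken by default, checks the lifetime ranges, the Psk length and the rule that ClientIpPool must not overlap LocalSubnet. The set of values treated as weak is this reviewer's policy assumption, not an ROS constraint; the sample properties are constructed.

```python
import ipaddress

# Allowed values and defaults as listed in the IkeConfig/IpsecConfig tables.
ENC_ALGS = {"aes", "aes192", "aes256", "des", "3des"}
AUTH_ALGS = {"md5", "sha1"}
PFS_GROUPS = {"group1", "group2", "group5", "group14", "group24"}
SPEC = {"IkeEncAlg": ENC_ALGS, "IkeAuthAlg": AUTH_ALGS, "IkePfs": PFS_GROUPS,
        "IkeVersion": {"ikev1", "ikev2"}, "IkeMode": {"main", "aggressive"},
        "IpsecEncAlg": ENC_ALGS, "IpsecAuthAlg": AUTH_ALGS, "IpsecPfs": PFS_GROUPS}
DEFAULTS = {"IkeEncAlg": "aes", "IkeAuthAlg": "sha1", "IkePfs": "group2",
            "IkeVersion": "ikev2", "IkeMode": "main", "IpsecEncAlg": "aes",
            "IpsecAuthAlg": "sha1", "IpsecPfs": "group2"}
# Local review policy (assumption): values we do not want in a new tunnel.
WEAK = {"des", "3des", "md5", "group1", "group2", "ikev1", "aggressive"}


def check_ipsec_server(props):
    """Return (severity, message) findings for an IpsecServer Properties map."""
    findings = []
    merged = {**props.get("IkeConfig", {}), **props.get("IpsecConfig", {})}
    for key, allowed in SPEC.items():
        value = merged.get(key, DEFAULTS[key])  # absent key -> documented default
        if value not in allowed:
            findings.append(("error", f"{key}={value!r} is not an allowed value"))
        elif value in WEAK:
            src = "explicit" if key in merged else "default"
            findings.append(("warn", f"{key}={value} ({src}) is a weak choice"))
    for key in ("IkeLifetime", "IpsecLifetime"):
        if key in merged and not 0 <= int(merged[key]) <= 86400:
            findings.append(("error", f"{key} must be within 0~86400 seconds"))
    if props.get("Psk") is not None and len(props["Psk"]) > 100:
        findings.append(("error", "Psk is longer than 100 characters"))
    # ClientIpPool must not overlap any of the comma-separated LocalSubnet CIDRs.
    pool = ipaddress.ip_network(props["ClientIpPool"], strict=False)
    for cidr in props["LocalSubnet"].split(","):
        if pool.overlaps(ipaddress.ip_network(cidr.strip(), strict=False)):
            findings.append(("error", f"ClientIpPool {pool} overlaps LocalSubnet {cidr.strip()}"))
    return findings


# Constructed sample properties (placeholder IDs, not a real deployment).
SAMPLE = {
    "VpnGatewayId": "vpn-PLACEHOLDER", "Psk": "PLACEHOLDER-psk", "PskEnabled": True,
    "LocalSubnet": "192.168.1.0/24,192.168.2.0/24", "ClientIpPool": "10.0.0.0/24",
    "IkeConfig": {"IkeEncAlg": "aes256", "IkeAuthAlg": "sha1", "IkePfs": "group14",
                  "IkeVersion": "ikev2", "IkeMode": "main", "IkeLifetime": 86400},
    "IpsecConfig": {"IpsecEncAlg": "aes256", "IpsecAuthAlg": "sha1",
                    "IpsecPfs": "group14", "IpsecLifetime": 86400},
}

if __name__ == "__main__":
    for severity, message in check_ipsec_server(SAMPLE):
        print(severity, message)
```

Running the check on a template that omits IpsecConfig entirely reports the group2 defaults as findings, which is the case a plain allowed-value check misses.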

Return values

Fn::GetAtt

  • IpsecServerId: ID of the IPsec server.
  • IpsecServerName: name of the IPsec server.

Examples

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "LocalSubnet": {
      "Type": "String",
      "Description": "The local network segment refers to the network segment on the VPC side that needs to be interconnected with the client network segment. Use half-width commas (,) to separate multiple network segments, for example: 192.168.1.0/24,192.168.2.0/24."
    },
    "EffectImmediately": {
      "Type": "Boolean",
      "Description": "true: Apply the new configuration and trigger a reconnection immediately. \nfalse: Trigger a reconnection only when network traffic occurs. (The reconnection may cause the network to be unavailable for a brief moment)",
      "AllowedValues": [
        "True",
        "true",
        "False",
        "false"
      ]
    },
    "ClientIpPool": {
      "Type": "String",
      "Description": "Client network segment refers to the address segment that assigns access addresses to the virtual network card of the client. Note: The client network segment cannot conflict with the VPC side network segment."
    },
    "VpnGatewayId": {
      "Type": "String",
      "Description": "VPN gateway instance ID."
    },
    "IpsecConfig": {
      "Type": "Json",
      "Description": "Negotiation parameter configuration in the second phase."
    },
    "Psk": {
      "Type": "String",
      "Description": "Pre-Shared key. Used for identity authentication between the VPN gateway and the client. A 16-bit random string is randomly generated by default, or you can manually specify the key. The length is limited to 100 characters."
    },
    "IkeConfig": {
      "Type": "Json",
      "Description": "Negotiation parameter configuration in the first phase."
    },
    "IpsecServerName": {
      "Type": "String",
      "Description": "The value must be 2 to 128 characters in length and start with a letter or Chinese character. It can contain digits, underscores (_), and hyphens (-)."
    },
    "PskEnabled": {
      "Type": "Boolean",
      "Description": "Whether to enable the pre-shared key authentication method. Only the value is true, which means that the pre-shared key authentication mode is enabled.",
      "AllowedValues": [
        "True",
        "true",
        "False",
        "false"
      ]
    }
  },
  "Resources": {
    "IpsecServer": {
      "Type": "ALIYUN::VPC::IpsecServer",
      "Properties": {
        "LocalSubnet": {
          "Ref": "LocalSubnet"
        },
        "EffectImmediately": {
          "Ref": "EffectImmediately"
        },
        "ClientIpPool": {
          "Ref": "ClientIpPool"
        },
        "VpnGatewayId": {
          "Ref": "VpnGatewayId"
        },
        "IpsecConfig": {
          "Ref": "IpsecConfig"
        },
        "Psk": {
          "Ref": "Psk"
        },
        "IkeConfig": {
          "Ref": "IkeConfig"
        },
        "IpsecServerName": {
          "Ref": "IpsecServerName"
        },
        "PskEnabled": {
          "Ref": "PskEnabled"
        }
      }
    }
  },
  "Outputs": {
    "IpsecServerId": {
      "Description": "IPsec server ID.",
      "Value": {
        "Fn::GetAtt": [
          "IpsecServer",
          "IpsecServerId"
        ]
      }
    },
    "IpsecServerName": {
      "Description": "IPsec server name.",
      "Value": {
        "Fn::GetAtt": [
          "IpsecServer",
          "IpsecServerName"
        ]
      }
    }
  }
}

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  ClientIpPool:
    Description: 'Client network segment refers to the address segment that assigns
      access addresses to the virtual network card of the client. Note: The client
      network segment cannot conflict with the VPC side network segment.'
    Type: String
  EffectImmediately:
    AllowedValues:
    - 'True'
    - 'true'
    - 'False'
    - 'false'
    Description: "true: Apply the new configuration and trigger a reconnection immediately.\
      \ \nfalse: Trigger a reconnection only when network traffic occurs. (The reconnection\
      \ may cause the network to be unavailable for a brief moment)"
    Type: Boolean
  IkeConfig:
    Description: Negotiation parameter configuration in the first phase.
    Type: Json
  IpsecConfig:
    Description: Negotiation parameter configuration in the second phase.
    Type: Json
  IpsecServerName:
    Description: The value must be 2 to 128 characters in length and start with a
      letter or Chinese character. It can contain digits, underscores (_), and hyphens
      (-).
    Type: String
  LocalSubnet:
    Description: 'The local network segment refers to the network segment on the VPC
      side that needs to be interconnected with the client network segment. Use half-width
      commas (,) to separate multiple network segments, for example: 192.168.1.0/24,192.168.2.0/24.'
    Type: String
  Psk:
    Description: Pre-Shared key. Used for identity authentication between the VPN
      gateway and the client. A 16-bit random string is randomly generated by default,
      or you can manually specify the key. The length is limited to 100 characters.
    Type: String
  PskEnabled:
    AllowedValues:
    - 'True'
    - 'true'
    - 'False'
    - 'false'
    Description: Whether to enable the pre-shared key authentication method. Only
      the value is true, which means that the pre-shared key authentication mode is
      enabled.
    Type: Boolean
  VpnGatewayId:
    Description: VPN gateway instance ID.
    Type: String
Resources:
  IpsecServer:
    Properties:
      ClientIpPool:
        Ref: ClientIpPool
      EffectImmediately:
        Ref: EffectImmediately
      IkeConfig:
        Ref: IkeConfig
      IpsecConfig:
        Ref: IpsecConfig
      IpsecServerName:
        Ref: IpsecServerName
      LocalSubnet:
        Ref: LocalSubnet
      Psk:
        Ref: Psk
      PskEnabled:
        Ref: PskEnabled
      VpnGatewayId:
        Ref: VpnGatewayId
    Type: ALIYUN::VPC::IpsecServer
Outputs:
  IpsecServerId:
    Description: IPsec server ID.
    Value:
      Fn::GetAtt:
      - IpsecServer
      - IpsecServerId
  IpsecServerName:
    Description: IPsec server name.
    Value:
      Fn::GetAtt:
      - IpsecServer
      - IpsecServerName